Concept of Operations (ConOps) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.1
Generated 2026-03-27 — UHT Journal / universalhex.org
Provide diverse, reliable standby electrical power to nuclear safety-critical loads during loss-of-offsite-power (LOOP) events, ensuring continuous cooling of reactor fuel and preventing core damage. The EDG must start automatically within seconds of grid failure and run continuously until normal power is restored or the reactor reaches a safe shutdown state. As a Class 1 safety system under UK Site Licence Conditions, the EDG is the last line of defence against a station blackout scenario that could lead to uncontrolled radioactive release.
| Stakeholder | Relationship | Hex Code |
|---|---|---|
| Control Room Operator | Primary operational interface, monitors status, initiates starts, authorises transfers (Scenarios 1-5) | — |
| Shift Supervisor | Authorises LCO entry/exit, emergency response decisions, maintenance approval (Scenarios 2-3, 5-6) | — |
| Mechanical Technician | Performs maintenance and repairs, responds to failures (Scenarios 2-3, 6) | — |
| I&C Technician | Maintains control/protection systems, calibrates sensors, troubleshoots (Scenarios 2, 4, 6) | — |
| ONR | Regulatory approval of safety case, inspection, enforcement of Site Licence Conditions (all scenarios) | — |
| Licensee | Ultimate safety responsibility, funding, personnel, compliance demonstration (all scenarios) | — |
| EDG OEM | Technical support, spare parts, engineering change notices, qualification documentation | — |
| Local Community | Expects prevention of nuclear accidents through reliable backup power | — |
| Mode | Description |
|---|---|
| Standby Ready | Pre-heated and pre-lubricated, continuous monitoring, ready for instant start → Start signal received → Emergency Start |
| Emergency Start | Air motor cranking, fuel injection, voltage build-up → Rated voltage/frequency achieved in 10-15s → Running Loaded |
| Running Loaded | Full power to safety bus, continuous until grid restored → Offsite power stable, operator authorises → Cooldown Shutdown |
| Cooldown Shutdown | Unloaded running for turbo/engine thermal protection → Engine stopped → Post-shutdown checks then Standby Ready |
| Surveillance Test | Periodic start/load tests per Tech Specs → Test complete, parameters acceptable → Cooldown Shutdown |
| Maintenance Out-of-Service | LOTO applied, work in progress → Work complete, post-maintenance test passed → Standby Ready |
| Degraded Operation | Running with reduced capability → Fault cleared or operator decision → Running Loaded or Cooldown Shutdown |
02:30, control room operator on night shift. Grid voltage drops due to transmission fault 50km away. Undervoltage relays detect loss within 100ms and send start signal to both train A and train B EDGs. Starting air valves open, air motors crank engines to 150 rpm, fuel injectors fire. Train A EDG reaches rated speed in 8 seconds, voltage builds to 6.6kV at 50Hz. Load sequencer connects safety loads in priority order: charging pumps first, then component cooling, then HVAC. Operator monitors from desk displays showing kW, frequency, oil pressure, coolant temp. Train B also running on standby. At 06:45, grid restored, verified stable for 30 minutes. Operator authorises transfer back to grid. Loads transferred, EDGs unloaded, run for 15 minutes cooldown, shut down. Post-run checks: oil level, coolant level, any alarms. Logbook entry made. EDGs returned to standby ready.
LOOP occurs as in Scenario 1. Train A EDG receives start signal but cranks without firing — fuel solenoid stuck closed. Alarm 'EDG-A FAIL TO START' annunciates in control room. Operator acknowledges, verifies Train B EDG has started and is supplying loads. Control room supervisor notified. Operator enters LCO 3.8.1 — one EDG inoperable, 72 hours to restore or begin controlled shutdown. Maintenance called, mechanic dispatched to EDG-A building. Fault diagnosed as stuck fuel rack solenoid. Solenoid replaced, EDG-A started manually and loaded on test bus. Post-maintenance surveillance test satisfactory. EDG-A returned to operable status 6 hours after initial failure. LCO exited. Incident logged and reported per site procedures.
Day 2 of extended LOOP due to regional storm damage. Train A EDG supplying essential loads, Train B on hot standby. At 14:20, Train A trips on high coolant temperature — actual overheating, radiator fan belt failed. Momentary power interruption to Bus A (300ms), Train B auto-starts and syncs in 12 seconds, Bus A restored. Operator verifies loads recovered, no safety system actuation required. With only one EDG available, operator re-evaluates allowed outage time. Maintenance prioritised for Train A. Belt replaced, coolant system flushed and refilled. Train A restarted and tested. Return to normal two-EDG configuration 8 hours after trip. Post-event review identifies fan belt as wear item needing shorter replacement interval.
Scheduled for 10:00 Tuesday during normal reactor operation. Operator prints test procedure, verifies Train A is available for test while Train B remains in standby. Pre-test checks: fuel level, oil level, coolant level, battery voltage, no outstanding defects. Test engineer observes from EDG-A building. Operator initiates fast start from control room simulating LOOP signal. EDG-A starts, reaches rated voltage in 9.8 seconds (acceptance: <10s). Loads sequenced onto test bus per procedure. Run for 2 hours at 75% rated load. Parameters recorded every 15 minutes. All within limits. Unload, cooldown run 15 minutes, shutdown. Post-test inspection: no leaks, no unusual sounds, oil and coolant consumption normal. Test logged as SATISFACTORY. EDG-A returned to standby ready.
Extreme flooding event damages external grid and floods EDG cooling water intake. Both EDGs start but trip within 5 minutes on high coolant temperature — ultimate heat sink unavailable. Station blackout declared. Reactor trips automatically on loss of power. DC batteries supply essential instrumentation (4-hour capacity). Shift Supervisor implements Emergency Operating Procedure for SBO. Portable diesel-driven pump deployed to provide emergency feedwater to steam generators. Site emergency declared, mutual aid requested from neighbouring utility. Mobile diesel generator trucked in (ETA 3 hours). Batteries extended via load shedding. Mobile generator connected to emergency bus after 4.5 hours, just before battery exhaustion. Core cooling maintained throughout. Post-event: flooding vulnerability identified, modifications required to EDG cooling water supply.
Reactor in refuelling outage, reduced decay heat, relaxed LCO requirements. Train A EDG scheduled for 5-yearly overhaul. Work package: replace injectors, valve adjustment, turbocharger inspection, alternator bearing replacement. Formal isolation request approved, LOTO applied. Fuel isolated, batteries disconnected, start air vented. Work duration: 14 days. Daily progress meetings. Any scope changes require formal approval. Upon completion: post-maintenance testing includes slow start, fast start, load run, and 24-hour endurance test. All parameters within specification. Independent verification of LOTO removal. EDG-A returned to operable status. Documentation updated. Quality records archived.
| Category | Constraint |
|---|---|
| Seismic | Seismic Category I, 0.2g PGA design basis earthquake, functional during and after DBE per EUR requirements |
| Environmental | -10°C to +40°C ambient operating range, IP54 enclosure minimum, coastal salt-laden atmosphere compatibility |
| EMC | EMI immunity per IEC 61000-4 series, no spurious actuation from EMI, emissions within limits for co-located safety I&C |
| Regulatory | ONR Safety Assessment Principles (SAPs), IEC 61513 (nuclear I&C), IEC 62645 (cyber security), Site Licence Condition compliance |
| Reliability | 0.975 start-on-demand probability, 0.999 mission reliability for 24-hour run, demonstration via surveillance testing |
| Fuel | 7-day minimum fuel inventory at 100% rated load, fuel quality per EN 590, water/contamination monitoring, diverse supply routes |
| Time | Start and reach rated voltage/frequency within 10 seconds of LOOP signal, full load acceptance within 15 seconds |
| System | Interface | Hex Code |
|---|---|---|
| National Grid | Primary power source, LOOP detection triggers EDG start, return-to-service requires grid stability verification | 54F77258 |
| Emergency AC Bus | EDG output connects via generator breaker, load sequencer controls connection of safety loads, voltage 6.6kV nominal | — |
| Ultimate Heat Sink | Raw water cooling for engine jacket/aftercooler if water-cooled design, availability during LOOP essential | 02850011 |
| Plant Protection System | Receives LOOP signal for auto-start, provides EDG status for safeguards logic, hardwired or qualified digital | 51F77859 |
| Main Control Room | EDG status display, manual start/stop, alarm annunciation, parameter monitoring (kW, Hz, V, oil pressure, coolant temp) | — |
| Fuel Supply | Road tanker delivery, bulk tanks (50,000L typical), automatic transfer to day tank, level monitoring to site systems | 46851259 |
| DC Battery System | 125VDC for control power, starting battery (24VDC for air start valves), battery charger fed from EDG output | — |
flowchart TB n0["system<br>Emergency Diesel Generator"] n1["actor<br>National Grid"] n2["actor<br>Emergency AC Bus"] n3["actor<br>Plant Protection System"] n4["actor<br>Main Control Room"] n5["actor<br>Ultimate Heat Sink"] n6["actor<br>Fuel Supply"] n7["actor<br>DC Battery System"] n1 -->|LOOP signal| n0 n0 -->|6.6kV AC power| n2 n3 -->|Start/stop commands| n0 n0 -->|Status signals| n3 n0 -->|HMI data| n4 n4 -->|Manual controls| n0 n5 -->|Cooling water| n0 n6 -->|Diesel fuel| n0 n7 -->|Control/start power| n0
EDG System Context